Systems and methods for controlled transmittance in a telecommunication system

ABSTRACT

Systems and methods for authenticating digital assets in relation to a telecommunications network. In various cases, the systems include a network interface device associated with a customer premises. The network interface device includes a local authentication authority operable to authenticate one or more digital assets maintained in relation to the customer premises. In some cases, a global authentication authority can authenticate the network interface device, and implicitly authenticate the one or more digital assets. Many other cases and/or embodiments are disclosed herein.

CROSS-REFERENCES TO RELATED APPLICATIONS

The present invention is a continuation of U.S. patent application Ser. No. 11/733,089, entitled “Systems and Methods for Controlled Transmittance In A Telecommunication System,” filed Apr. 9, 2007, and assigned to an entity common herewith, which is a continuation of U.S. patent application Ser. No. 10/632,602, entitled “Systems And Methods For Controlled Transmittance In A Telecommunication System,” filed Aug. 1, 2003, now U.S. Pat. No. 7,240,361, and assigned to an entity common herewith, which is a continuation-in-part of U.S. patent application Ser. No. 10/452,996, entitled “Systems And Methods For Distributing Content Objects In A Telecommunication System,” filed Jun. 2, 2003, now U.S. Pat. No. 7,376,386, and assigned to an entity common herewith, U.S. patent application Ser. No. 10/356,364, entitled “Packet Network Interface Device And Systems And Methods For Its Use,” filed Jan. 31, 2003, now U.S. Pat. No. 7,180,988, and assigned to an entity common herewith, U.S. Patent Application No. 10/356,688, entitled “Systems, Methods And Apparatus For Providing A Plurality Of Telecommunication Services,” filed Jan. 31, 2003, and assigned to an entity common herewith, U.S. patent application Ser. No. 10/356,338, entitled “Configurable Network Interface Device And Systems And Methods For Its Use,” filed Jan. 31, 2003, and assigned to an entity common herewith, U.S. patent application Ser. No. 10/367,596, entitled “Systems And Methods For Delivering A Data Stream To A Video Appliance,” filed Feb. 14, 2003, and assigned to an entity common herewith, and U.S. patent application Ser. No. 10/367,597, entitled “Systems And Methods For Providing Application Services,” filed Feb. 14, 2003, now U.S. Pat. No. 7,433,465, and assigned to an entity common herewith. The present application is related to U.S. patent application Ser. No. 10/632,661, entitled “Systems And Methods For Implementing A Content Object Access Point,” filed Aug. 1, 2003, and assigned to an entity common herewith. The entirety of each of the aforementioned applications is incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

The present invention is related to telecommunication systems. In particular, the present invention is related to access controls in a telecommunication system.

Currently, users are authenticated in a telecommunications system through accessing a central authority and providing a user name and password. Such an approach can involve congestion about the central authority. In some cases, such congestion is unnecessary as the authentication is to be used only in conjunction with relatively localized activities.

Thus, for at least the aforementioned reasons, there exists a need in the art for advanced systems and methods for implementing access controls in relation to a telecommunication network.

BRIEF SUMMARY OF THE INVENTION

The present invention is related to telecommunication systems. In particular, the present invention provides systems and methods for allowing access control to digital assets capable of transfer via a telecommunications system, or other communication system.

Among other things, the present invention provides an authentication system capable of providing authentication services for a plurality of digital assets associated with a customer premises. Such digital assets can include, but are not limited to, customer premises equipment and content objects. Some examples of customer premises equipment include, but are not limited to, personal computers, video recorders, dish antennas, and the like. Content objects can include, but are not limited to, voicemail, email, video, audio, movies, music, games, email, live broadcasts, user preferences, and the like. In different aspects of the present invention, access to digital assets can be provided within a customer premises, between customer premises, and/or between a customer premises and a globally accessible site.

Particular embodiments of the present invention provide an implicit authentication system. Such an implicit authentication system includes a network interface device (“NID”) that connects a global communication network to a local communication network. A local authentication authority associated with the NID authenticates one or more customer premises equipment, and a global authentication authority authenticates the NID and by implication the customer premises equipment associated with the NID. Thus, the NID is allowed to vouch for the authenticity of the customer premises equipment, eliminating substantial authentication traffic to the global authentication authority.

Various embodiments of the present invention provide methods for authenticating digital assets. Such methods can provide for comparing a user against accessed digital assets to assure compatibility and/or availability. Further, such methods can provide for payment in exchange for distribution of particular digital assets to particular users. Yet further, such methods can provide for controlled remote access to customer premises equipment. Additionally, the methods may rely on implicit authentication as described above.

Some embodiments provide systems for authorizing access to digital assets. Such systems include a global authentication authority that is communicably coupled to a global communication network, and a NID associated with a customer premises that is communicably coupled to the global communication network and to a local communication network. A local authentication authority is associated with the NID, and is operable to authenticate various digital assets maintained in relation to the customer premises. In some cases, the global authentication authority is operable to authenticate the NID, and to implicitly authenticate at least one of the plurality of digital assets maintained in relation to the customer premises. In some cases, authenticating the digital assets maintained in relation to the customer premises involves accessing a digital security device associated with particular digital assets. Such security devices can be a digital certificate or a digital pass. Such authentication can be accomplished using a digital security device associated with a digital asset. The local authentication authority and the global authentication authority can issue and store digital security devices, and the network interface device can register and retrieve digital security devices with the local and global authentication authorities. A digital pass allows communication access to digital assets, while a digital certificate allows authorization of content object distribution and/or distribution of content objects obtained from customer premises equipment.

In particular cases, authenticating the NID includes registering the digital security devices at the global authentication authority. The NID is operable to access the digital security devices, and to register the digital security devices with the global authentication authority and/or the local authentication authority. In various cases, the local communication network extends within the customer premises, while the global communication network extends external to the customer premises.

Other embodiments of the present invention provide systems for authorizing access to digital assets that include two or more digital asset sources. At least one of the digital asset sources is communicably coupled to a number of digital assets that are maintained in relation to a customer premises, and to a communication network. Another digital asset source is operable to request a digital asset from the aforementioned digital asset source, and is also communicably coupled to another communication network. Each of the digital asset sources is associated with respective authentication authorities. In particular cases, both digital asset sources are associated with respective customer premises, while in other cases, at least one of the digital asset sources is not associated with a customer premises.

Yet other embodiments of the present invention provide methods for authorizing access to digital assets. Such methods include receiving access information from a NID and, based at least in part on the access information, implicitly authenticating a digital asset associated with the network interface device. Such access information can include, but is not limited to, a security device received from either a global authentication authority or local authentication authority. In some cases, the NID is associated with a customer premises, and authenticating the NID includes receiving at least one digital security device associated with a digital asset maintained in relation to the customer premises.

Authenticating the NID can further include registering the various digital security devices associated with respective digital assets. In some cases the digital asset is a content object, while in other cases, the digital asset is a customer premises equipment. Content objects can include, but are not limited to, a recorded audio, a live audio, a live video, a recorded video, an email, a live chat, and a game. Customer premises equipment can include, but is not limited to, a video recorder, an audio recorder, a storage device, a personal computer, a PDA, a mobile telephone, a dish antenna, a television, a refrigerator, and a security equipment. Security equipment can include gate locks, door locks, cameras, and/or the like.

This summary provides only a general outline of some embodiments according to the present invention. Many other objects, features, advantages and other embodiments of the present invention will become more fully apparent from the following detailed description, the appended claims and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

A further understanding of the nature and advantages of the present invention may be realized by reference to the figures which are described in remaining portions of the specification. In the figures, like reference numerals are used throughout several figures to refer to similar components. In some instances, a sub-label consisting of a lower case letter is associated with a reference numeral to denote one of multiple similar components. When reference is made to a reference numeral without specification to an existing sub-label, it is intended to refer to all such multiple similar components.

FIG. 1 illustrates a system in accordance with some embodiments of the present invention.

FIG. 2 depicts a detailed portion of the system of FIG. 1.

FIG. 3 illustrates a data structure useful in relation to some embodiments of the present invention.

FIGS. 4 and 5 illustrate various demarcation devices and systems associated therewith that can be used in relation to embodiments of the present invention.

FIGS. 6 and 7 illustrate various methods in accordance with embodiments of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The present invention is related to telecommunication systems. In particular, the present invention provides systems and methods for allowing access control to digital assets capable of transfer and/or providing transfer via a telecommunications system, or other communication system.

Among other things, the present invention provides an authentication system capable of providing authentication services for a plurality of digital assets associated with a customer premises. As used herein, references to “customer premises” are intended to refer to physical structures under the control of a customer through ownership, leasehold, or any other property right. The term is not intended to encompass open real property external to the physical structures, even if such open real property is also under the control of the customer. Such a definition reflects differences in accessibility to the physical structures and surrounding open real property. Access to the physical structures generally requires the presence of the customer or a representative of the customer, while access to the surrounding open real property may be obtained by permission from the customer, through an easement, or by other means that do not require the physical presence of the customer. Thus, for example, in the case of a residential customer, the customer premises may correspond to the customer's home, but does not include the yard surrounding the home. Access to the yard may be obtained even when the customer is not home, such as when the customer is at work, is shopping, or is otherwise unavailable to be physically present.

Also as used herein, authentication services can be any communication process whereby a particular entity is determined to be the entity that it claims to be, and/or is determined to have the authority it claims to have. For example, if a laptop computer claims to be device XYZ, the authentication service would determine and confirm that the laptop in question is indeed device XYZ and not another device. As another example, if user ABC claims to have access to device XYZ, the authentication service would determine and confirm that ABC does indeed have authority to access device XYZ. In some cases, the terms validation and security may herein be used interchangeably with authentication.

Particular embodiments of the present invention provide an implicit authentication system. Such an implicit authentication system includes a network interface device (“NID”) that connects a global communication network to a local communication network. A local authentication authority associated with the NID authenticates one or more customer premises equipment, and a global authentication authority authenticates the NID and by implication the customer premises equipment associated with the NID. Thus, the NID is allowed to vouch for the authenticity of the customer premises equipment, eliminating substantial authentication traffic to the global authentication authority.

Various embodiments of the present invention provide methods for authenticating digital assets. Such methods can provide for comparing a user against accessed digital assets to assure compatibility and/or availability. Further, such methods can provide for payment in exchange for distribution of particular digital assets to particular users. Yet further, such methods can provide for controlled remote access to customer premises equipment. Additionally, the methods may rely on implicit authentication as described above.

Some embodiments of the present invention provide methods for processing digital certificates at a customer premises, and addressing the content objects to specific customer premises equipment, or to a local communication network maintained within the home. Thus, methods in accordance with the present invention can be used for content fulfillment purposes, to make secure payments, and/or the like. In some cases, the digital certificates will be registered with a global certificate authority maintained by a content provider, or implemented as a third party verification service. These digital certificates can then be validated against a certificate authority. In some cases, a hierarchical certificate authority is implemented including local, global, and/or provider certificate authorities.

In some cases, digital certificates are issued for customer premises equipment and for content objects. As used herein, a “content object” is broadly defined to include any group of information that can be accessed via a communication network. Thus, for example, a content object can be, but is not limited to: a pre-recorded digital video segment, a live digital video segment, a pre-recorded digital audio segment, a live digital audio segment, a data file, a voice mail message, a digital picture, and/or the like. “Customer premises equipment” and “CPE” are intended to refer to any device that creates, sends, receives, or otherwise utilizes content objects. Content objects and customer premises equipment are referred to herein collectively as digital assets.

In particular cases, the local certificate authority is implemented in association with a NID. This can include implementing the local certificate authority as part of the NID, or communicably coupled to the NID via a local communication network extending within the customer premises. By providing this functionality to a NID, the authentication services can be accessed across the local communication network, and where it is not required, authentication services do not have to include accessing components associated with networks extending outside of the customer premises. Further, such an approach allows the NID to perform authentication services in relation to digital assets maintained in relation to the customer premises. Thus, when occasion requires authentication on a global communication network, the NID can be authenticated by a global authentication authority, and digital assets previously authenticated by the NID can be implicitly authenticated by the global communication authentication authority. This implicit authentication can include acceptance of the authenticity of the digital assets as affirmed by the NID.

Such authentication can include receiving digital certificates associated with the NID and various digital assets maintained in relation to the customer premises. These digital certificates can then be registered with an appropriate authentication authority, thus allowing for communications at a level designated by the digital certificates to occur. When new digital assets are installed, the NID may automatically update the digital certificates with the various authentication authorities, or await the need to perform such authentication.

In particular cases, a global authentication authority provides a chip or module that can be installed in the NID. This chip or module includes an encoded version of the digital certificate for the NID, and is created such that when the digital certificate is received from the NID, there is a high degree of surety that the NID identified in the digital certificate is authentic. Further, this chip or module is capable of identifying the various digital assets maintained in relation to the customer premises, obtaining digital certificates for each of them from a digital certificate authority, and associating the identity with the respective digital certificates.

In other cases, the digital certificates are created locally by a local certificate authority, and identify the customer premises where the digital certificate is being created. In such cases, the NID can assure that only content objects with digital certificates matching the customer premises are served onto the global communication network. Alternatively, or in addition, content objects that were received from the global communication network can be queried to determine if they include redistribution rights. Where redistribution rights exist, and the content object has not been modified, the content object can also be served onto the global communication network. This helps to assure that content objects are only used at the destination that paid for them, if that represents the terms under which the content object was obtained. Further, it helps to assure that content objects served from a customer premises include the correct indication of the customer premises, thus lowering the incidence of users introducing malicious content onto the global communication network.
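The serving rule in the paragraph above can be written as a single decision function at the NID. The following is an added example, not code from the patent; the `Certificate` fields, the SHA-256 digest used to detect modification, and the premises and provider identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Certificate:
    # Hypothetical layout; the page does not define certificate fields.
    issuer_id: str          # premises (local CA) or provider the certificate identifies
    content_sha256: str     # digest of the content when the certificate was attached
    redistributable: bool   # redistribution rights granted with the object


@dataclass(frozen=True)
class ContentObject:
    data: bytes
    cert: Optional[Certificate]
    received_from_global: bool   # True if it arrived over the global network


def issue_local(data: bytes, premises_id: str) -> ContentObject:
    """Local certificate authority: certificate identifies the creating premises."""
    return ContentObject(data, Certificate(premises_id, digest(data), False), False)


def egress_decision(obj: ContentObject, premises_id: str) -> Tuple[bool, str]:
    """Decide whether the NID may serve obj onto the global network."""
    if obj.cert is None:
        return False, "no certificate"
    # Assumption: the certificate is bound to the content by a digest, so any
    # modification after certification is detectable at the NID.
    if not hmac.compare_digest(digest(obj.data), obj.cert.content_sha256):
        return False, "content modified since certification"
    if obj.received_from_global:
        # Received content may leave again only with redistribution rights.
        if obj.cert.redistributable:
            return True, "unmodified and redistributable"
        return False, "no redistribution rights"
    # Locally created content must carry this premises' own indication.
    if obj.cert.issuer_id == premises_id:
        return True, "locally certified for this premises"
    return False, "certificate names another premises"


if __name__ == "__main__":
    # Constructed sample objects.
    clip = issue_local(b"front-door camera clip", "premises-A")
    movie_cert = Certificate("provider-X", digest(b"movie"), True)
    samples = {
        "local clip": clip,
        "purchased movie": ContentObject(b"movie", movie_cert, True),
        "patched movie": ContentObject(b"movie+payload", movie_cert, True),
    }
    for name, obj in samples.items():
        print(name, egress_decision(obj, "premises-A"))
```
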

Further, content providers will also be able to register their content objects with a global certificate authority. This can include the provider placing a digital certificate on any content objects distributed by the provider. These digital certificates remain intact as long as the content object is not in any way modified, or otherwise corrupted. Thus, when a content object is requested by a user, the authenticity of the content object can be tested. This helps to alleviate the occurrence of malicious code or viruses distributed with content.

In some cases, home users have a digital certificate that is assigned to them, and via this digital certificate, they can request services and/or content objects from providers. Using the digital certificate associated with the user, the provider can validate the requests. Where a content object is requested, the content object can come wrapped with a digital certificate indicating the provider and the requestor. Thus access to the provided content object can be limited to the user. Any modification of the digital certificate and/or the content object will damage the content object. As another example, the user's digital certificate may be associated with content objects produced at the customer premises including, for example, emails, voicemails, live camera feeds, and the like. Where this association occurs, access to the content objects may be limited to the user identified in the digital certificate. In some cases, the user's digital certificate is replaced with that of the NID. In such cases, a content object received from a provider may be limited in use by customer premises equipment registered with the NID at the time the content object was requested. It should be noted that not all digital assets will include digital certificates, and content objects may or may not be encrypted whether a digital certificate is used or not. In some cases, the digital certificate is simply used as a digital pass to indicate a requestor.

From the disclosure provided herein, one of ordinary skill in the art will appreciate a myriad of advantages obtainable through using systems and methods in accordance with the present invention. For example, various systems and methods allow for authenticating users and/or services that are trying to make changes to the configuration of the NID, authenticating users and/or services that are trying to deliver content to the customer premises, and authenticating users and/or services that are trying to access digital assets maintained in relation to the customer premises. Other examples of advantages include providing validation for data/configuration requests from the customer premises, validation of data/configuration sent to the customer premises, and the like.

Digital certificates can include information useful to uniquely identify a customer premises equipment. Thus, digital certificates may employ a Media Access Control identification (MAC ID). In some cases, the MAC ID is augmented with a serial number of the customer premises equipment, or some other number to render the identification unique. Alternatively, a number can be assigned by the global certificate authority or local certificate authority that is then incorporated with the MAC ID.

A remotely accessible security system provides one example illustrative of various systems and methods in accordance with the present invention. In the example, a customer premises is equipped with a security camera and an electronically controlled lock. In such an application, only certain privileged users can obtain authorization to access images from the camera and/or actuate the electronically controlled lock. Digital certificates can be used to authenticate the lock and camera, and to authorize access to the lock and camera. Other examples that illustrate various systems and methods of the present invention include distribution of content across a communication network where digital certificates are used to authenticate the content and/or the equipment producing the content, and digital passes can be used to authorize access to the content. In some cases, content, digital certificates, and/or digital passes can be encrypted. Encryption can be used to protect against ‘hackers’ who try to steal the digital certificate in order to access digital assets without permission. Such protection can be particularly useful when digital assets are private or sensitive in nature.

Turning to FIG. 1, a system 1100 in accordance with some embodiments of the present invention is illustrated. In system 1100, a global communication network 1120 communicably couples a content provider 1130 and one or more NIDs 1110 associated with respective customer premises 1150. Global communication network 1120 can be any communication network capable of transferring information to/from a site external to customer premises 1150 to/from customer premises 1150. In some cases, global communication network 1120 is the Internet. Based on the disclosure provided herein, one of ordinary skill in the art will appreciate a number of other network types that can be utilized in accordance with embodiments of the present invention. Content provider 1130 can be any source of content objects that are distributable via global communication network 1120. Thus, for example, content provider 1120 can be a telecommunication service provider or a cable television provider. Based on this, one of ordinary skill in the art will recognize other content providers.

Content provider 1130 is associated with a provider authentication authority 1132, a provider certificate authority 1134, and a database 1136 where content objects are maintained. Provider certificate authority 1134 can be responsible for registering digital certificates from approved NIDs, users, and/or digital assets. Further, provider certificate authority 1132 can be responsible for creating and/or assigning digital certificates to content objects maintained on database 1136. In addition, provider certificate authority 1132 can be responsible for requesting a digital certificate from a global certificate authority 1124 as further described below. Provider authentication authority 1132 can be responsible for receiving digital certificates and approving the NID, user, and/or digital asset associated with the digital certificate. Where the digital certificate is approved, the entity associated with the digital certificate is capable of some level of access to content objects maintained on database 1136, or to provide content objects to database 1136.

Global certificate authority 1124 and a global authentication authority 1122 are also communicably coupled to global communication network 1120. Global certificate authority 1124 is a third party digital certificate provider responsible for creating and/or assigning digital certificates to digital assets upon request of a local certificate authority 1176, 1180 or provider certificate authority 1134. Global authentication authority 1122 is a third party authentication service responsible for receiving digital certificates, and approving the NID, user, and/or digital asset associated with the digital certificates.

NIDs 1110 include local authentication authorities 1112 responsible for receiving digital certificates, and approving the NID, user, and/or digital asset associated with the digital certificates. In particular, local authentication authority 1112 is capable of identifying digital assets maintained in relation to customer premises 1150, and assuring that the digital assets are what they claim to be. Further, local authentication authority 1112 can register digital certificates associated with the digital assets, and can represent the digital assets to other entities on global communication network 1120 as having been verified. This will allow for implicit authentication, reducing the amount of authentication being done globally. In addition, where the NID is at least in part controlled by a provider, the security of information passed on global communication network 1120 can be increased.

As illustrated, NIDs 1110 are communicably coupled to respective local communication networks 1160 that extend through the respective customer premises 1150. Local communication networks 1160 can be any type of communication networks or combination of communication networks capable of passing content objects within customer premises 1150. Various CPE 1170, 1172, 1182, 1184 can be communicably coupled to communication networks 1160. Further, a storage device 1176, 1186 that includes one or more content objects can also be communicably coupled to local communication networks 1160. Such storage devices may include hard disk drives associated with a microprocessor for accessing information from the hard disk drive. Each of the aforementioned authentication authorities and certificate providers can be implemented on microprocessor based devices, such as, for example, personal computers, servers, mainframes, imbedded modules, and/or the like.

As will be further appreciated from the discussion below, using the aforementioned system, registration can be provided for various digital assets. This registration can include registering a NID with either the content provider, or with the network itself. Such registration can allow network based services to be accessed throughout the home and network based on digital certificates. Thus, for example, the network internal to the home can rely on locally registered CPE and content objects, while accesses external to a customer premises can rely on global registrations. When a new component is installed such as an attached application to the NID, the component can send its digital certificate via the network to the Certificate Authority database. Further, digital certificates can be temporary, assigned and revoked, or provided on a permanent basis.

In some cases, the digital certificates are maintained with the content object in a common package that can be referred to as a security file structure. A content object can consist of a header with network information, and a packet section. The security file structure is maintained in the data section, and can be interleaved with the data, or appended to the data. The data can in some cases be encrypted, unencrypted, protected, unprotected, or some combination thereof. In one particular embodiment the digital certificate can be an X.509 Protocol. This protocol can include a version or certificate format indication, a unique identifier, a signature algorithm used to sign the certificate, an issuer name or certificate authority name, the identity of the entity to which the certificate is issued, the period of validity of the certificate, and any decryption information.

Various validation processes can be used in relation to the digital certificates. These validation processes can provide for assuring that the proper content objects are transmitted, and that the content objects are provided from safe sources, and that the content objects do not include any malicious code. In addition, the digital certificates can be used to facilitate secure payments and the like.

Turning to FIG. 2, a flow diagram 1200 illustrates a method for implicit authentication in accordance with some embodiments of the present invention. Following flow diagram 1200, a NID or other local authentication device identifies various digital assets including content objects and/or CPE (block 1210). Each of these identified digital assets is then authenticated by the local authentication authority (block 1220). This can include assigning a digital certificate to each of the identified devices, and/or requesting a previously assigned digital certificate from the various devices. Alternatively, it can simply include identifying the device through a MAC ID, or some other identifier. From this, a master list of all devices associated with the customer premises can be assembled in association with the NID. In some cases, a user associated with the customer premises goes through each of the devices on the list and indicates whether the device is approved or not. Thus, in some embodiments, a double authentication is performed.

At some point, the global authentication authority communicates with the NID (block 1230). This can occur where a request is issued by the NID for a content object accessible via the global communication network, or at some other time. This time can be scheduled, or otherwise. During this communication between the NID and the global communication network, the global authentication authority authenticates the NID (block 1240). This authentication can include assuring that a unique identification number associated with the NID matches the one registered with the global communication network. Based on this disclosure, one of ordinary skill in the art will appreciate a number of other authentication approaches that can be used in accordance with embodiments of the present invention. For example, when the NID is installed, the installer can register the NID with the global authentication authority. This can include the issuance of a digital certificate for the NID from the global certificate authority. Thus, when an access to the global communication network is provided via the NID, the NID can be authenticated by assuring that the digital certificate received from the NID is the same as that registered with the global authentication authority. This can be an advantage where the NID is installed by a party other than that initiating access requests to the global communication network because the party may be trusted. For example, the party installing the NID may be a third party telecommunications provider, or the same party that maintains the global authentication authority.

In addition, the global authentication authority receives the list of digital assets previously authenticated by the local authentication authority (block 1250). Each device on the list is accepted as authentic, and is from that point authorized to perform functions in relation to the global authentication network consistent with the scope of the authentication (block 1260). Based on the disclosure provided herein, one of ordinary skill in the art will appreciate a variety of hardware and/or software that can be used to implement the method described in relation to FIG. 2.
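The flow of FIG. 2 can be sketched as follows. This is an added example, not code from the patent: the class and field names are hypothetical, certificates are opaque constructed byte strings compared by SHA-256 fingerprint, and the integrity tag on the master list (an HMAC key shared at installation) is an assumption the text does not specify.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


def fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint used to compare a presented certificate to the registered one."""
    return hashlib.sha256(cert).hexdigest()


@dataclass
class Asset:
    identifier: str      # MAC ID or other identifier
    kind: str            # "cpe" or "content"
    user_approved: bool  # the customer's approve/deny pass over the master list


class LocalAuthority:
    """Runs on the NID: identifies assets and assembles the master list."""

    def __init__(self, nid_id: str, nid_cert: bytes, list_key: bytes):
        self.nid_id, self.nid_cert, self._key = nid_id, nid_cert, list_key
        self.assets = []

    def identify(self, asset: Asset) -> None:   # blocks 1210 and 1220
        self.assets.append(asset)

    def master_list(self) -> dict:
        # Only assets the user approved are forwarded (double authentication).
        approved = sorted(a.identifier for a in self.assets if a.user_approved)
        body = json.dumps({"nid": self.nid_id, "assets": approved}, sort_keys=True)
        # Assumption: the list is integrity-protected with a key set at install time.
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}


class GlobalAuthority:
    """Authenticates the NID, then accepts its asset list without checking each asset."""

    def __init__(self):
        self._registered = {}   # nid_id -> (certificate fingerprint, list key)
        self.authorized = {}    # nid_id -> identifiers accepted via that NID

    def register(self, nid_id: str, nid_cert: bytes, list_key: bytes) -> None:
        # Installer step: the NID's certificate is recorded when the NID is installed.
        self._registered[nid_id] = (fingerprint(nid_cert), list_key)

    def authenticate_nid(self, nid_id: str, presented_cert: bytes) -> bool:  # block 1240
        entry = self._registered.get(nid_id)
        return entry is not None and hmac.compare_digest(
            entry[0], fingerprint(presented_cert))

    def accept_list(self, nid_id: str, presented_cert: bytes, signed: dict) -> set:
        """Blocks 1250 and 1260: returns the identifiers now authorized, or an empty set."""
        if not self.authenticate_nid(nid_id, presented_cert):
            return set()
        key = self._registered[nid_id][1]
        expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signed["tag"]):
            return set()                      # list altered in transit
        body = json.loads(signed["body"])
        if body["nid"] != nid_id:
            return set()                      # list belongs to a different NID
        self.authorized[nid_id] = set(body["assets"])
        return self.authorized[nid_id]


if __name__ == "__main__":
    cert, key = b"constructed NID certificate", b"constructed list key"
    authority = GlobalAuthority()
    authority.register("nid-001", cert, key)
    nid = LocalAuthority("nid-001", cert, key)
    nid.identify(Asset("00:11:22:33:44:55", "cpe", True))
    nid.identify(Asset("66:77:88:99:aa:bb", "cpe", False))
    print(authority.accept_list("nid-001", cert, nid.master_list()))
```

Every asset on an accepted list inherits the NID's standing, so the strength of the whole scheme rests on the NID authentication step and on the integrity of the list.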

Turning to FIG. 3, other methods for authorizing the transfer of content objects are illustrated in flow diagrams 1300 and 1301. Following flow diagram 1300 of FIG. 3a, a requestor provides a request for a content object (block 1310). Such a request can include, for example, an identification of the desired content object, and an identification of the source of the content object. A digital certificate is associated with the request (block 1320). In some cases, this can be the digital certificate of the device from which the request is issued, a digital certificate associated with the requesting user, and/or a digital certificate associated with a NID through which the request is passed. The request is received by the content provider, and the requestor is authenticated using the digital certificate (block 1330). This authentication can be performed by accessing the global authentication authority, or locally via the provider authentication authority. The content provider then associates the content provider's digital certificate (including a time stamp) with the requested content object (block 1340), along with the digital certificate provided by the requestor (block 1350).

The requested content object including the digital certificates from the requestor and the provider is communicated to the requestor (block 1360). Thus, in some embodiments of the present invention, a content object is distributed with information about both the source and destination of the content object. This can be carried on where the content object is later redistributed to indicate additional sources and destinations. This can be done in such a way that the digital certificates may not be removed from the content object without damaging the content object, or rendering the content object unusable. As just one of many advantages, such an approach can be used to assure that viruses (or other malicious code) are not attached to content objects, and that if a virus is attached, the attachment point can be identified. Further, the source of a copyright infringement can be identified by using such information. Upon receiving the content object, the requestor can authenticate it using the digital certificate associated with the content object provider (block 1370). Once authenticated, the requestor can store the content object to a local storage, or otherwise use the content object (block 1380).

Turning to FIG. 3b, flow diagram 1301 illustrates another method similar to that of flow diagram 1300, except that the content object is transferred by another customer to the requestor. Such content redistribution can be done in accordance with that disclosed in U.S. patent application Ser. No. 10/452,996, entitled “Systems And Methods For Distributing Content Objects In A Telecommunication System,” filed Jun. 2, 2003, and assigned to an entity common herewith. The aforementioned patent application was previously incorporated herein by reference for all purposes. Following flow diagram 1301, a first customer requests a content object from a content object provider (block 1305). The request includes a digital certificate which is used by the content object provider to authenticate the request (block 1311). The content provider identifies a second customer that has access to the requested content object, and initiates a request to the second customer asking that the second customer provide the requested content object to the first customer (block 1316). In addition, the content provider provides a digital certificate designating the content provider, along with the digital certificate from the requestor (block 1321). Each of these digital certificates is associated with the requested content object by the NID and/or CPE associated with the second customer (block 1326). In addition, the second customer associates a digital certificate identifying the second customer with the content object (block 1331). The content object is then provided to the first customer by the second customer (block 1336). The first customer can then authenticate the content object using one or both of the digital certificates from the content provider and/or the second customer (block 1341). At this point, the first customer stores the content object, or otherwise uses the content object (block 1346).
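One way to make the source and destination records of FIGS. 3a and 3b tamper-evident is to chain them, so that each record covers the content hash and the record before it. The following is an added example, not code from the patent: the record layout and function names are hypothetical, and HMAC keys stand in for the private keys behind each party's digital certificate so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed secrets standing in for the signing keys of each certificate holder.
KEYS = {
    "provider": b"constructed-provider-key",
    "customer-1": b"constructed-customer-1-key",
    "customer-2": b"constructed-customer-2-key",
}


def _digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def _tag(signer: str, body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], payload, hashlib.sha256).hexdigest()


def attach(obj: dict, source: str, destination: str, timestamp: int) -> dict:
    """Return a copy of obj with a record binding source, destination,
    time stamp, current content hash and the previous record."""
    records = obj["records"]
    body = {
        "source": source,
        "destination": destination,
        "timestamp": timestamp,
        "content_sha256": _digest(obj["content"]),
        "prev": records[-1]["tag"] if records else "",
    }
    return {"content": obj["content"],
            "records": records + [dict(body, tag=_tag(source, body))]}


def verify(obj: dict, receiver: str, delivered_by: str) -> str:
    """Return "ok", or the reason the receiver should reject the object."""
    records = obj["records"]
    if not records:
        return "no records attached"
    current, prev = _digest(obj["content"]), ""
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "tag"}
        source = rec.get("source")
        if source not in KEYS:
            return f"record {i}: unknown source"
        if not hmac.compare_digest(rec.get("tag", ""), _tag(source, body)):
            return f"record {i}: record altered"
        if body.get("prev") != prev:
            return f"record {i}: chain broken (record removed or reordered)"
        if body.get("content_sha256") != current:
            return f"content differs from what {source} signed"
        prev = rec["tag"]
    last = records[-1]
    # Chaining alone cannot reveal a stripped final record, so the receiver
    # also checks the last hop against who actually delivered the object.
    if last["source"] != delivered_by or last["destination"] != receiver:
        return "last record does not match the delivery (trailing record stripped?)"
    return "ok"


def attachment_point(obj: dict) -> Optional[str]:
    """Name the hop whose record first matches content that earlier hops did not sign."""
    current = _digest(obj["content"])
    matches = [rec["content_sha256"] == current for rec in obj["records"]]
    if all(matches):
        return None
    for i, ok in enumerate(matches):
        if ok and not all(matches[:i]):
            return obj["records"][i]["source"]
    return "after " + obj["records"][-1]["source"]


if __name__ == "__main__":
    base = {"content": b"constructed content object", "records": []}
    from_provider = attach(base, "provider", "customer-1", 1000)
    relayed = attach(from_provider, "customer-2", "customer-1", 1001)
    print(verify(relayed, "customer-1", "customer-2"))
```

When a redistributing customer changes the content before attaching its own record, `verify` rejects the object and `attachment_point` names that customer as the hop where the change entered.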

Turning to FIG. 4, one example of a system incorporating a demarcation device and/or network interface device (“NID”) is described. FIG. 4 and the discussion associated therewith are adapted from the following U.S. Patent Applications that were previously incorporated herein by reference for all purposes: U.S. patent application Ser. No. 10/356,364, entitled “Packet Network Interface Device And Systems And Methods For Its Use,” filed Jan. 31, 2003, and assigned to an entity common herewith, U.S. patent application Ser. No. 10/356,688, entitled “Systems, Methods And Apparatus For Providing A Plurality Of Telecommunication Services,” filed Jan. 31, 2003, and assigned to an entity common herewith, U.S. patent application Ser. No. 10/356,338, entitled “Configurable Network Interface Device And Systems And Methods For Its Use,” filed Jan. 31, 2003, and assigned to an entity common herewith, U.S. patent application Ser. No. 10/367,596, entitled “Systems And Methods For Delivering A Data Stream To A Video Appliance,” filed Feb. 14, 2003, and assigned to an entity common herewith, and U.S. patent application Ser. No. 10/367,597, entitled “Systems And Methods For Providing Application Services,” filed Feb. 14, 2003, and assigned to an entity common herewith.

A relatively simple configuration 100 for providing telecommunication services is depicted. Configuration 100 includes a distribution point 104 that can act as a content object origination in communication with a device 108 having demarcation capabilities via an external transport medium 112. In this example, external transport medium 112 comprises a transport medium external to a customer premises 116. Device 108 is shown in FIG. 4 as including an application device 109, which is adapted to interface with an internal transport medium 124. In this example, internal transport medium 124 comprises a transport medium internal to customer premises 116. While application device 109 is shown as part of demarcation device 108, this is not a requirement. In other instances, application device 109 may be distinct from, but coupled with, demarcation device 108, such as by using a modular design with plug-and-play technology.

In one sense, distribution point 104 may be considered to be a content object origination, a source of telecommunication information transmitted to the customer premises, and/or a recipient of content objects or telecommunication information transmitted from the customer premises; however, distribution point 104 need not be either the ultimate source or the ultimate recipient of telecommunication information and/or content objects. In certain embodiments, distribution point 104 may correspond to a telecommunication service provider's local office. In other embodiments, distribution point 104 may correspond to another network element in the service provider's network, such as a remote termination cabinet and/or a digital subscriber line access multiplier (“DSLAM”). More generally, distribution point 104 may correspond to any facility operated by a telecommunication service provider that is capable of transmitting telecommunication information to, and/or receiving telecommunication information from, a customer premises 116.

Distribution point 104 can be capable of transmitting and/or receiving any type of telecommunication information to/from ANID 107, and such telecommunication information can be organized into a plurality of content objects, as necessary. For ease of description, FIG. 4A does not show any additional sources or recipients of telecommunication information in communication with distribution point 104, but, those skilled in the art will recognize that, in many embodiments, distribution point 104 can be coupled to multiple customer premises 116 (perhaps via an ANID 107 at each customer premises) and often is neither the ultimate source nor the ultimate recipient of telecommunication information. Instead, distribution point 104 can serve as an intermediary between one or more customer premises 116 and one or more telecommunication networks and/or telecommunication information providers, which, as discussed above, can include cable television networks, telephone networks, data networks, and the like. Further, many such networks (as well as, in some embodiments, distribution point 104) can be coupled to the Internet, so that distribution point 104 can serve as a gateway between customer premises 116 and any source and/or recipient of telecommunication information that has a connection to the Internet. The interconnection of telecommunication networks is well known in the art, although it is specifically noted that distribution point 104 can be configured to transmit telecommunication information to (and receive telecommunication information from) virtually any source or recipient of telecommunication information, through either direct or indirect (e.g., through the Internet) communication. Merely by way of example, a distribution point 104 can transmit video signals received from a television programming provider to customer premises equipment, as described in the applications referenced above. In other embodiments, distribution point 104 can be in communication with one or more other customer locations, allowing for private virtual circuits, VLAN tags and wavelengths, or RF connections between customer premises 116 and those locations.

In configuration 100, ANID 107 can serve as the interface between external transport medium 112 and customer premises 116. As shown in FIG. 4, usually both demarcation device 108 and the application device 109 comprised by ANID 107 are interfaced with the internal transport medium 124, with the demarcation device interfaced with the external transport medium 112, although other interfacing configurations are also within the scope of the invention. For example, application device 109 may additionally be interfaced with the external transport medium 112. The application device may also include a service interface 111 for addressing the application device 109. The service interface 111 may comprise a physical interface, such as a universal serial bus (“USB”), FireWire (IEEE 1394), registered jack 11 (“RJ-11”), registered-jack 13 (“RJ-13”), registered-jack 45 (“RJ-45”), serial, coax, or other physical interface known to those of skill in the art. In other embodiments, the service interface 111 may comprise a logical interface, such as may be provided through a logical connection with an IP address.

As conceptually illustrated in FIG. 4, demarcation device 108 and/or application device 109 may be attached to an external wall of the customer premises 116. Such attachment may be performed of an integrated ANID 107 or may be performed with the components separately of a separated ANID 107. Such a configuration provides many advantages. For instance, if the telecommunication service provider desires to upgrade or otherwise change its network, including, perhaps, external transport medium 112, a technician can perform any necessary changes at demarcation device 108 and/or application device 109 as appropriate without entering the customer premises. Coupled with the ability of some demarcation devices 108 to isolate the telecommunication service provider's network from the customer's premises, this can allow the telecommunication service provider to effect substantial changes in its network without impacting or inconveniencing the customer in any respect. This could, for example, allow the telecommunication service provider to upgrade external transmission medium 112 from a copper twisted pair to optical fiber, without requiring any topological changes inside the customer premises 116. Of course, demarcation device 108 and/or application device 109 may be located at a variety of alternative locations, either within customer premises 116 or at a facility operated by the telecommunication service provider. In addition, as previously noted and as discussed in further detail below, an ANID 107 may also be divided, with different portions situated at different locations, according to the requirements of the implementation.

Application device 109 is configured so that it may communicate with CPE 120, which may be located interior to the customer premises through internal transport medium 124. Such communication is used to implement applications defined by application device 109 with CPE 120 in accordance with telecommunication information received from distribution point 104. In addition, demarcation device 108 may communicate directly with CPE 120 to implement other functions. While the internal transport medium 124 may comprise any of the media discussed above, in one embodiment it comprises existing telephone wiring in customer premises 116 and, in some embodiments, is capable of carrying voice, data and video information. For instance, as described in Edward H. Frank and Jack Holloway, “Connecting the Home with a Phone Line Network Chip Set,” IEEE Micro (IEEE, March-April, 2000), which is incorporated herein by reference, the Home Phoneline Networking Alliance (“HPNA”) standards allow for simultaneous transmission of both voice information and Ethernet frames across twisted-pair copper telephone wiring. In addition to the transmission of telecommunication information through ANID 107, either directly from demarcation device 108 or through the application device 109, telecommunication information may be transmitted via the reverse path to the distribution point 104. Such telecommunication information received at distribution point 104 may be transmitted to an information recipient, such as a service provider. For example, such a transmission may be used to request a pay-per-view movie or the like. Alternatively, telecommunication information received at distribution point 104 may be transmitted across the Internet, such as may be used in the case of sending an email message.

In certain embodiments, ANID 107 can receive state information from a control point 128, which is shown in the illustrated embodiment as associated with distribution point 104. In certain instances, control point 128 can be software and/or hardware operated by a telecommunication service provider for controlling certain features of the operation of ANID 107. For instance, control point 128 can instruct ANID 107 to provide (or cease to provide) particular applications and/or telecommunication services with application device 109 to the customer premises 116. Control point 128 can also provide other directions to ANID 107 through the demarcation device 108, including, for instance, instructions to save or record a particular information set (e.g., data representing a movie), such that the information set may quickly (and, in some cases, repeatedly) be transmitted to customer premises 116, allowing the provision of voice, data, video, etc. on demand.

Often, it may be beneficial to allow the customer to provide state information to ANID 107. Thus, in certain embodiments, control point 128 may have a web interface, such that the customer or any authorized person, such as an employee of the telecommunication service provider or telecommunication information provider, may log onto the web interface and configure options for ANID 107, perhaps resulting in state commands being transmitted from distribution point 104 to ANID 107. In other embodiments, control point 128 can be a web interface to ANID 107 itself, allowing the customer or other authorized person to configure ANID 107 directly. In still other embodiments, control point 128 can communicate with ANID 107 through an application programming interface (“API”). Hence, in some embodiments, control point 128 can interface with ANID 107 through an API.

In many such embodiments, the API corresponds to the service interface 111 of the application device. In embodiments where the service interface 111 comprises a logical interface, the API can include a set of software, hardware, or firmware routines or libraries that may be invoked programmatically to configure or relay information to the application device 109. In that sense, then, control point 128 can be understood to be a program running on a computer, perhaps located at distribution point 104 or customer premises 116, among other locations, that provides state information to application device 109 via a software API.

In other embodiments where the service interface 111 comprises a physical interface such as those described above, the API may be accessed locally, such as by a service technician. For example, the service technician could visit property outside the customer premises 116, attach a laptop computer or other device to the physical service interface 111, and upload information to the application device 109, including perhaps both state information, as well as other telecommunication information. In still other embodiments, application device 109 can accept state information through other means, including, for example, through a web interface by receiving a specially formatted electronic message. This is especially the case in embodiments where application device 109 is capable of acting as a web server, as discussed below.

The addressability of application device 109 may be used in various embodiments to change the state of the application device 109. Such state information can include any set of data or other information that may be interpreted by application device 109 as defining operational instructions. This includes, for example, commands to process certain information sets in certain ways, e.g., to provide protocol conversion, to allow transmission of the information set, to deny transmission of the information set, to direct transmission on a particular interface, and the like, as well as commands to provide or cease providing a particular service, such as to provide access to a pay-per-view movie or an additional telephone line. Thus, in certain aspects, a telecommunication service provider can control the application services provided to a customer in several ways. First, the provider can only transmit a telecommunication information set to an ANID 107 if the user of that device is authorized to receive the application service associated with that information set. Alternatively, the service provider could send one or more application services to a customer's ANID 107, and rely on the state of the component application device 109 to prevent unauthorized access to those services.

Those skilled in the art will appreciate that certain control methods are better suited to certain services than to others. For instance, with respect to cable television services, the same set of information may be broadcast to many households, and ANID 107 is well-suited to control access to those services, allowing for greater efficiency in the providing of such services. In contrast, video on demand services may instead be controlled at a distribution point 104 or elsewhere such that a particular ANID 107 only receives video-on-demand information if the customer already has requested and been authorized to receive that service. In such cases, ANID 107 may not need to provide access control functions with respect to that service.

According to some embodiments, ANID 107 can implement either of these access control schemes, or both in combination, as well as others. Moreover, ANID 107 can, in some cases, be configured to support a plurality of schemes transparently. For instance, the customer could request a service from ANID 107, perhaps using one of the methods discussed above, and ANID 107 could relay that request to the appropriate telecommunication service provider and/or telecommunication information provider, as well as reconfigure itself to allow access to that service, if necessary. Of course, ANID 107 can also be configured to take any necessary validating or authenticating action, such as notifying distribution point 104 and/or control point 128 that the service has been requested, and, optionally, receiving a return confirmation that the service has been authorized.

In accordance with other embodiments, state information sent to ANID 107 can include one or more commands to interface with a particular CPE in a certain way. For instance, state information could instruct ANID 107 to turn on and/or off certain lights or equipment, perhaps via additional equipment, or to arm, disarm or otherwise monitor and/or configure a home security system. State information can also include operational data such as an IP address, routing information, and the like, to name but a few examples.

State information can further include instructions to modify one or more security settings of ANID 107. Merely by way of example, in certain embodiments, ANID 107 can include a computer virus scanner, and state information can include updated virus definitions and/or heuristics. Likewise, ANID 107 often will be configured with access controls, such as to prevent unauthorized access through ANID 107 by third parties. State information can include instructions on how to deal with particular third-party attempts to access ANID 107 or internal transport medium 124. Those skilled in the art will recognize as well that some security settings may specify the level of access the customer has to the functions of ANID 107, such as to prevent unauthorized use of certain telecommunication services, and that these settings also may be modified by received state information.

There are a variety of ways in which the various access-control and security functionalities of ANID 107 discussed above may be implemented. In different embodiments, these functionalities may be performed by the demarcation device 108, by the application device 109, by a combination of the demarcation and application devices 108 and 109, and/or by still other components that may additionally be comprised by ANID 107. Moreover, the state information that manages such functionalities may sometimes be sent periodically to ANID 107 to ensure that it is current. Those skilled in the art will also recognize that state information can be considered a subset of the broader category of telecommunication information.

Based on this disclosure, one of ordinary skill in the art will appreciate that a number of demarcation devices, NIDs, and/or encompassing systems can be used to implement the systems and methods in accordance with the present invention. For example, U.S. patent application Ser. No. 10/367,597, entitled “Systems And Methods For Providing Application Services,” describes a number of other examples that could also be used in accordance with the present invention. The aforementioned patent application was previously incorporated by reference for all purposes.

The aforementioned patent application additionally provides disclosure regarding mechanical and electrical characteristics of NIDs useful in relation to the present invention. In relation to FIGS. 5A-5C, a discussion adapted from the aforementioned application is provided. In contrast, FIG. 5D depicts another embodiment of a NID in accordance with some embodiments of the present invention. Turning to FIGS. 5A and 5B, one example of a NID 200 is illustrated. For purposes of illustration, FIG. 5A provides a top view that explicitly shows components within NID 200, while FIG. 5B provides a side view that shows the logical organization of NID 200 without the components. In the illustrated embodiment, NID 200 comprises a clamshell design, with a lid portion 204 and a body portion 208 connected by hinges 212A and 212B. Body portion 208 comprises a network area 216 and a customer area 220. Generally, network area 216 is adapted to receive a cover and is designed generally to be accessible only to personnel authorized by the telecommunication service provider. In contrast, when NID 200 is open, the customer can access customer area 220 to add or remove components as desired. In this and other ways, NID 200 serves to isolate the telecommunication service provider's network from the customer's network, as described above.

NID 200 can include a first interface 228 for communicating with the provider's external transport medium. Those skilled in the art will recognize that, in some embodiments, as described above, the external transport medium may comprise the twisted-pair copper “local loop” running from the customer's premises to the telecommunication service provider's local office, and interface 228 will allow for the attachment of the local loop to NID 200. As discussed above, in other embodiments, the external transport medium can be any of a variety of other media, including satellite transmissions, wireless transmissions, and coaxial cable. In fact, in certain embodiments, the external transport medium can comprise multiple transport media (of the same or different types), for which NID 200 could include multiple interfaces. In some such embodiments, NID 200 can function to couple a plurality of external transport media to one another, seamlessly increasing the bandwidth available to the customer premises. For instance, a customer premises might have a satellite link to one telecommunication service provider and an ADSL link to another provider, and NID 200 could combine or multiplex these two links to provide an apparent single, higher-bandwidth link to the customer premises. Similarly, those skilled in the art will recognize that in certain of these embodiments, a particular external transport medium, such as a satellite link, may be more well-suited to one way transmission of telecommunication information; in such cases, NID 200 could use a second external transport medium, such as an ADSL link, to allow transmission in the other direction.

Interface 228 can be coupled to a discrimination device 232, which can be operative to separate information sets received on interface 228, and, conversely, aggregate information sets for transmission on interface 228. Merely by way of example, in particular embodiments, discrimination device 232 can separate POTS information from other telecommunication information and/or isolate signals on the internal transport medium from the external transport medium and vice versa. In some embodiments, for instance xDSL implementations, discrimination device 232 can comprise one or more filters. Such filters can include, but are not limited to, high-pass, low-pass, and/or band-pass filters. For instance, in an xDSL implementation, discrimination device 232 might include a high-pass and/or low-pass filter for separating high-frequency (e.g., data) from low frequency (e.g., POTS) information. In other embodiments, discrimination device 232 can comprise many other types of filters, including both digital and analog filters. Discrimination device 232 can be operable to separate information sets through a variety of criteria, including for example, by frequency, by destination device, information type, and/or frequency. Further, in certain embodiments, information sets can be multiplexed (for instance, using various time-division multiplexing or wave-division multiplexing schemes known in the art) for transmission over an external transport medium, and discrimination device 232 can comprise a demultiplexer capable of separating multiplexed signals and, optionally, routing each signal to the necessary destination.

In the illustrated embodiment, discrimination device 232 is in communication with a second interface 236, which can interface with the telephone wires at the customer premises to provide traditional analog telephone service. In some embodiments, an aggregator 240 can be situated between discrimination device 232 and interface 236 to allow additional, perhaps non-POTS, information sets to be sent and received through interface 236 simultaneously with the POTS information. This can include, for example, aggregating information sets for transmission of an HPNA signal over an internal transport medium.

The discrimination device can also be coupled to a processing system 244, which in the illustrated embodiment is located in the lid portion 204, and all non-POTS information sets can be routed to processing system 244 for additional processing. Processing system 244 is described in detail below, but can, in general, comprise one or more microprocessors, including digital signal processor (“DSP”) chips, memory devices, including both volatile and nonvolatile memories, and storage devices, including hard disk drives, optical drives and other media. In fact, processing system 244 can comprise the equivalent of one or more personal computers, running any of a variety of operating systems, including variants of Microsoft's Windows™ operating system, as well as various flavors of the UNIX™ operating system, including open source implementations such as the several Linux™ and FreeBSD™ operating systems.

Telecommunication information or content objects can be processed by processing system 244 in a variety of ways, including, for example, routing a given content object to a particular interface, transforming information such as by encoding and/or decoding information and converting between different transport protocols, storing information, filtering information, and any of the other functions described herein with respect to processing systems. In certain embodiments, processing system 244 can serve as the termination point for an external transport medium; for instance, processing system 244 can incorporate the functionality of an xDSL modem. In other embodiments, processing system 244 can serve to identify quality-of-service requirements (for instance, latency requirements for voice transmissions and bandwidth requirements for streaming media transmissions, to name a few) and enforce those requirements, ensuring that sufficient bandwidth is provided to a particular device, network segment or application to maintain the quality of service required.

In the illustrated example, processing system 244 is in communication with aggregator 240, which, as discussed above, can aggregate non-POTS information sets received from processing system 244 and POTS information sets received directly from discrimination device 232 for consolidated transmission via interface 236. In effect, discrimination device 232 and aggregator 240, perhaps in conjunction with processing system 244, can function to separate telecommunication information received on interface 228 into a set of POTS telecommunication information and a set of non-POTS telecommunication information. POTS information can be understood to include ordinary telephone signals, and non-POTS information can be understood to include all other telecommunication information. The non-POTS information is routed via transport medium 248 to processing system 244 for processing, and the POTS information is routed to interface 236 for transmission to the internal transport medium. In certain embodiments, one or more sets of non-POTS information can be routed to interface 236 using transport medium 252 for transmission through interface 236, perhaps in combination with one or more sets of POTS information.

Of course, discrimination device 232 and aggregator 240 can perform the same function in reverse, i.e., to separate and recombine different sets of telecommunication information received on interface 236 from the customer's premises. Thus, in some embodiments, discrimination device 232 and aggregator 240 each can perform a combined discrimination-device and aggregator function, depending on the direction of information flow. In fact, while termed “discrimination device” and “aggregator” for ease of description, those two devices can actually be identical, and further, their functionality can, in some embodiments, be incorporated into a single device, which could be coupled to interface 228, interface 236, and processing system 244, and could route information sets among any of those three components as necessary. Moreover, as described below, the functionality of discrimination device 232 and/or aggregator 240 can be incorporated into processing system 244; likewise discrimination device 232 can incorporate interface 228 and/or aggregator 240 can incorporate interface 236, such that discrimination device 232 and/or aggregator 240 comprise the necessary components to be coupled directly to the external and internal transport media, respectively.

Discrimination device 232 and/or aggregator 240 can also serve another function in certain embodiments: Since the external transport medium is coupled to first interface 228 and the internal transport medium can be coupled to, inter alia, second interface 236, the discrimination device 232 and/or aggregator 240 can serve as an isolation device for intermediating between the two media, such that when a topological change occurs in one of the media, only the NID interface need be changed, and the other transport medium is not affected. In some such embodiments, discrimination device 232 and/or aggregator 240 can serve to intermediate (including protocol translation and the like) between interfaces 232, 240, allowing either the internal or the external transport medium to be upgraded or changed without impacting the other transport medium. Of course, in certain embodiments, this isolation function also could be performed by processing system 244. In yet other embodiments, the isolation device might comprise a separate piece of hardware in communication with discrimination device 232, aggregator 240 and/or processing system 244.

NID 200 may also comprise one or more application devices 246, which are usually disposed in the network area 216. The application devices are generally provided in communication with the processing system 244 by transport media 251, 263, and/or 268. In some instances, such as illustrated with application devices 246A and 246B, the application devices may be in communication with interfaces 256 and 260 that allow communication with transport media internal to the customer premises, such as over transport media 264 and 269. For example, interface 256 could be a coaxial interface for connection to RG6 and/or RG59 cable, and interface 260 could be an RJ45 and/or RJ11 interface for connection to unshielded twisted pair cable, which can, for instance, form a 10Base-T Ethernet network.

In other instances, such as illustrated with application device 246C, information might be routed from the application device 246C through the aggregator. Such an application may be suitable for applications that use IP data, such as a VoIP application. For example, NID 200 might receive IP data, perhaps combined with other types of telecommunication information, on interface 228. The information set comprising the IP data can be routed by the discrimination device 232 via medium 248 to processing system 244, where it can be processed. Depending on the embodiment, it could then be routed via transport medium 251 to VoIP application device 246C and then provided to the customer's existing telephone wiring using interface 236, optionally in conjunction with aggregator 240 and/or one or more line drivers. It could alternatively be routed to any of the other application devices 246A or 246B depending on their functionality. In this way, the NID can allow virtually unlimited connectivity options for each CPE at the customer premises. Adding to the flexibility of NID 200, the processing system 244 could include components to serve, for example, as a cable or xDSL modem, as well as components to serve as an Ethernet hub, switch, router, or gateway, the functions of each of which are familiar to those of skill in the art.

Furthermore, the application devices 246 may be provided generally within the network area 216 or in the consumer area 208, or with some in the network area 216 and others in the consumer area 208, depending on the embodiment. This is illustrated in FIG. 5A by showing application devices 246A and 246C disposed within the network area 216 of NID 200 and application device 246B disposed within the consumer area 208 of NID 200.

There are a variety of different application devices 246 that can be incorporated within NID 200 in order to provide a versatile range of functionality. The following examples are provided merely by way of illustration and still other application devices that may additionally or alternatively be used will be evident to those of skill in the art after reading this description. One application device 246 that may be included is a digital-recorder application device, which could provide a mechanism for digital recording of all forms of information incoming to NID 200 and make them accessible to a user at the customer premises. The information that could be recorded includes video, data, voice, among other types of information. Another application device 246 that may be included is a digital-storage application device, which could provide a supplementary mechanism for storing information presented to user applications. The information that could be stored also includes video, data, voice, and other types of information. The combination of the digital-recorder application device and digital-storage application device in an NID 200 may be used conveniently to provide primary and secondary information-storage capabilities. For example, the digital-recorder application could be used to provide a primary, on-line, video storage capability while the digital-storage application could be used to provide a secondary, off-line, video storage capability. Still other application devices could be included to enhance such functionality further. For example, a hard-drive application device could be provided to permit expandable storage capabilities.

Other examples of application devices 246 whose functions may be conveniently coordinated include digital-asset application devices. For example, one of application devices 246 in NID 200 could comprise a digital-asset sharing application device to permit sharing of information among equipment within the customer premises. Such an asset-sharing capability may be used within the customer premises to share video, data, electronic books, games, music, and the like. Another of application devices 246 could comprise a digital-asset caching application device to permit storage and distribution of digital assets. The combination of digital-asset sharing application devices and digital-asset caching application devices among a plurality of NIDs 200 in a service area could then be used to permit exchange of video, data, electronic books, games, music, and the like among customer premises throughout a defined service area. In some instances, a further application device 246 could comprise a digital-asset protection application device to control the distribution of digital assets in accordance with legal restrictions, such as those derived from copyright ownership.

In some embodiments, the application devices 246 may comprise application devices for effecting various voice-related applications within a customer premises. For example, a voice application device could include functionality to provide such functions as telephone caller identification, call logs, voice-mail storage, voice-mail retrieval, call waiting, solicitation barriers, and the like. In addition, a VoIP application device could provide support for VoIP functions within the customer premises.

Still other application devices 246 that may be used include various types of informational applications. For example, an online digital guide application device could be used to provide a digital data guide for television, music, and other types of programming. Such a data guide could be provided alternatively in real time or in non-real-time. A further example of an informational application could be realized with a home-utilities application device adapted to provide monitoring and/or billing tracking functions for utilities used within the customer premises. In this way, the use and/or cost of electricity, gas, water, and other utilities may be monitored by the customer. In addition, a diagnostic-interface application device may be provided to permit diagnostic functions of equipment within the customer premises, thereby permitting the customer to obtain information on the functioning of such equipment.

Other application devices 246 may provide security functions. For example, a data security application device may be used to provide hacker protection for the home, responding to identified attempts to breach the security of the customer premises. In addition, a home-security application device could be provided to monitor the physical security of the customer premises. Such a home-security application device would typically be provided with an interface to door and window monitors to determine whether they are open or shut, and with an interface to motion detectors, glass-breaking detectors, and other physical security equipment known to those of skill in the art.

Application devices 246 may also be provided to permit various types of data-conversion functions to be used by the customer premises. For example, a digital-information-conversion application device may be provided to convert digital information incoming to NID 200 to other sources for use by CPE in the customer premises. Thus, incoming digital information could be converted to analog information for use by analog equipment, such as an analog television. Similarly, incoming broadcast video could be converted for transmission to a PDA, and the like. Similarly, a wireless application device could be used to provide a wireless interface to the customer premises for data, video, and other types of information. Merely by way of example, if interface 228 receives telecommunication information that includes digitally encoded video signals, such as MPEG-2 data, the information set that includes the encoded video signals can be routed by discrimination device 232 to processing system 244. After transmission from the processing system to the information-conversion application device over transport medium 263, the signals can be decoded into RF-modulated NTSC, HDTV, PAL and/or SECAM format for transmission via transport medium 264 to coaxial interface 256, where they can be transmitted via coaxial cable to one or more televisions at the customer premises. Alternatively, if the customer has a digital set-top box located at the television, the encoded signals can be routed to aggregator 240, where the signals can be transferred through interface 236 to the set-top box for decoding. The ability of NID 200 to support multiple interfaces of different types thus allows great flexibility in routing telecommunication information throughout the customer premises.

Each of the application devices 246 in the NID may include a service interface 277 to permit states of the application devices 246 to be changed and/or updated. As previously noted, such interfaces may comprise physical interfaces such as USB, FireWire (IEEE 1394), RJ-11, RJ-45, serial, coaxial, or other physical interfaces, to permit a service technician to interact with the application devices 246 while at the site of NID 200. Alternatively, the service interfaces may comprise logical interfaces to permit IP addressing to be used in changing the state of the application devices. In many instances, NID 200 may also include a future-application device with open architecture to support new applications. The architecture may be configured by use of the service interfaces 277 when the new application is implemented.

In certain embodiments, NID 200 can comprise a line driver (not shown on FIG. 5A or 5B), coupled to processing system 244 and aggregator 240. The line driver can function to allow conversion between various network formats and media, allowing a variety of different media types, e.g., twisted pair and/or coaxial cable, in accordance with the HPNA and HPNA+ standards, as well, perhaps, as the customer premises' A/C wiring, in accordance, for example, with the HomePlug™ standard, to transport combined POTS and non-POTS information sets.

In certain embodiments, NID 200 can comprise a power supply 272 for providing electrical power to the components in NID 200. Power supply 272 can be powered through electrical current carried on the external transport medium and received on interface 228. Alternatively, power supply can receive electrical current from a coaxial interface, such as interface 256, or through a dedicated transformer plugged into an AC outlet at customer premises, e.g., through 12V connection 276. Processing system 244 can be powered by a connection 280 to power supply 272, or through one or more separate power sources, including perhaps the A/C power of the customer premises. In some embodiments, processing system 244 might have its own power supply.

As mentioned above, processing system 244 can comprise a plurality of processing devices, and each processing device can comprise multiple components, including microservers, memory devices, storage devices and the like. As used herein, a “microserver” is intended to refer to any device programmed to perform a specified limited set of functions, such as an EPROM. Merely by way of example, FIG. 5C provides a detailed illustration of an exemplary processing system 244, which comprises multiple processing devices 291. In accordance with the exemplified embodiment, transport medium 248 links processing system 244 with an external transport medium, perhaps via a discrimination device and/or interface, as described above.

Transport medium 248 can be coupled to a plurality of microservers 291 such that any information received by the processing system 244 via transport medium 248 may be routed to any of the microservers 291. Each microserver can, in some embodiments, be the equivalent of a server computer, complete with memory devices, storage devices, and the like, each of which is known in the art. In FIG. 5C, storage devices 293 associated with each of the microservers 291 are shown. Each of the microservers may be associated with one of the application devices 246 to provide information received from transport medium 248 and specifically processed for use by the corresponding device. Thus, the microservers 291 may individually be adapted to function as, for example, HTML microservers, authentication microservers, FTP microservers, TFTP microservers, DHCP microservers, WebServer microservers, email microservers, critical alert microservers, home-security microservers, VPN microservers, advertising microservers, instant-messaging microservers, wireless microservers, RF microservers, test-access microservers, data-security microservers, and the like.

In addition to these functions, microservers 291 can be configured to route information sets received via transport medium 248, according to the type of telecommunication information in the set (e.g., encoded video, IP data, etc.) as well as any addressing information associated with either the set or the information it comprises (e.g., a specified destination port or network address for a particular subset of telecommunication information). In this way, microservers 291 can serve switching functions somewhat similar to that described with respect to discrimination device 232 described in relation to FIG. 5A. For instance, if IP data is received by microserver 291A, such data can be routed to an Ethernet connection, to the existing telephone wiring, e.g., in an HPNA implementation, or to any other appropriate medium, perhaps via an appropriate line driver. In fact, in certain embodiments, processing system 244, and in particular one or more of microservers 291, can incorporate the functionality of discrimination device 232 and/or aggregator 240, rendering those components optional. In some embodiments, one or more of the microservers may be adapted to function as a controller for NID 200, overseeing the NID's state and monitoring performance. In some embodiments, the controller functions can be accessed using a web browser.

Processing system 244 can have multiple means of input and output. Merely by way of example, microservers 296 can communicate with one or more external transport media (perhaps, as discussed above, via intermediary devices) using one or more transport media (e.g., 248). Processing system 244 also can communicate with one or more internal transport media via a variety of information conduits, such as category 5, 5e and/or 6 unshielded twisted pair wire 268, RG6 and/or RG59 coaxial cable 264, and category 3 unshielded twisted pair copper (telephone) wire 252, again possibly via intermediary devices, as discussed with reference to FIG. 5A. Notably, some embodiments of processing system 244 can include interfaces for multiple transport media of a particular type, for instance, if processing system 244 serves as a networking hub, switch or router. Processing system 244 can also have infra-red and radio-frequency receivers and transmitters, for instance to allow use of a remote control device, as well as wireless transceivers, for instance to allow wireless (e.g., IEEE 802.11) networking.

FIG. 5D illustrates one example of processing system 244 of NID 200 in accordance with some embodiments of the present invention where one of microservers 291 is associated with a content object access control device 254. Content object access control device 254 can be any hardware and/or software module that can provide access to content objects maintained on a content object storage 253, or via some other content object device (not shown). In some cases, content object storage is the same as local storage 1132 as previously described. Similarly, in some cases, content object access control device 254 can include hardware and/or software to perform the functions described in relation to local control 1131 above, and to implement the various other content object access routines described herein. Content object storage 253 can be any type of storage device capable of maintaining and/or accessing content objects. Thus, for example, content object storage 253 can be a hard disk drive, a CD-ROM drive, a DVD drive, a personal computer, and/or the like. In some cases, at least a portion of content object storage is installed in NID 200 with other portions installed external to NID 200. In other embodiments, all of content object storage 253 is installed in NID 200, while in yet other embodiments, none of content object storage 253 is installed in NID 200. Based on the disclosure provided herein, one of ordinary skill in the art will understand various methods can be used to communicably couple content object storage 253 with NID 200, and to provide access control to/from content object storage 253 via content object access control device 254.

By incorporating content object storage 253 with NID 200, access to content objects and serving content objects can be provided via the customer premises. This can include access to the content objects by a user at the customer premises, or by others external to the customer premises that are communicably coupled to the customer premises. Thus, for example, a live camera may be placed in communication with content object access control device 254. In this way, video information from the camera can be accessed by other users via the NID, or by users at the customer premises via the same NID. Alternatively, or in addition, a variety of content objects can be maintained on content object storage 253, and also served to other users and/or utilized by users at the customer premises. Content object storage 253 can store content objects that are produced at the customer premises, or that are downloaded from some content object origination.

In some embodiments, a separate interface is provided for storing content objects to one or more offline media. As used herein, offline media is any media that must be installed in an online device to be accessed. Thus, for example, offline media can include, but is not limited to, CD-ROMs, DVDs, Flash Cards, floppy disks, tape disks, and/or external drives. In some cases, content objects maintained on content object storage 253 are written on a track-by-track and sector-by-sector basis. In some cases, the information maintained on content object storage 253 is in encrypted format, and is decrypted by an application operating on the NID. In other cases, the information is received in encrypted format and is decrypted by the NID prior to storage on content object storage 253.

In particular embodiments, a section of content object storage 253 is apportioned to accept firmware updates and/or other updates. In such cases, such updates can be written to the portion of content object storage 253 installed as part of the NID. It should be noted that such an approach provides for scalability where multiple hard drives, or other storage elements can be added to existing storage elements forming content object storage 253.

Turning to FIGS. 6 and 7, one example of a remote door lock utilizing various systems and methods of the present invention is illustrated. A system 900 includes a global certificate authority 940, a remote access location 960, and a service company's teleconference application 950 each communicably coupled to a NID 925 via a global communication network 930. NID 925 is associated with a customer premises 920, and customer premises 920 includes one or more customer premises equipment 970 including a gate lock 972, a camera 974, and a doorbell 976. Camera 974 and gate lock 972 communicate with NID 925 via a teleconference application 910.

Turning to FIG. 7, a flow diagram 1000 illustrates a method in accordance with one embodiment of the present invention, and using the hardware described in relation to FIG. 6 to provide remote access to a customer's premises. Following flow diagram 1000, a visitor approaches customer premises 920 and an image of the visitor is detected by camera 974 (block 1005). The visitor depresses doorbell 976 (block 1010), and in response a communication is prepared indicating that the doorbell has been actuated (block 1015). This communication includes a digital certificate from the doorbell and a digital certificate from the camera. The image captured by the camera is attached to the communication (block 1020), and the communication including the digital certificates and the image is transferred to a pre-designated recipient (block 1025). The pre-designated recipient can be the owner of customer premises 920, or some other person, entity, or machine authorized to grant access to the premises. The recipient receives the communication at a remote location (block 1030), and authenticates the digital certificates from one or both of the doorbell and the camera (block 1035). Thus, the recipient can know that the image of the visitor being viewed is from the camera at the customer premises, and that the request to access the customer premises is being initiated via the doorbell at the customer premises. The recipient (which could be a machine in particular cases) can then use the verified image to identify the visitor and make a determination about whether to allow the visitor access to the customer premises (block 1040). Where the visitor is not to be allowed access (block 1045), the process ends in the same way that a failure to respond to a doorbell would end (block 1070).

Alternatively, where the recipient decides to grant access (block 1045), an access grant message can be prepared that includes a digital certificate associated with the recipient (block 1050). This access grant message can then be communicated to gate lock 972 (block 1055), which in turn authenticates the digital certificate of the recipient (block 1060). Where the certificate is properly authenticated, the gate is unlocked (block 1065).
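The exchange of FIGS. 6 and 7 as a runnable sketch, added here as an illustration and not taken from the patent: device certificates chain through NID 925 to global certificate authority 940, the recipient checks the doorbell and camera (block 1035), and the gate lock checks the grant (block 1060). Assumptions not in the text: Ed25519-signed toy certificates in place of X.509, each device signing its part of the message (a bare certificate is public and can be copied), a per-request nonce echoed in the grant, and the subject and function names used below.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Toy certificate types, an assumed stand-in for X.509 (the page only says "digital certificate").
type (
	Cert struct { // Sig is the issuer's signature over subject||key
		Subject string
		Key     ed25519.PublicKey
		Sig     []byte
	}
	Identity struct { // private key plus its chain, leaf first, root excluded
		Chain []Cert
		priv  ed25519.PrivateKey
	}
	Signed struct { // payload, signer's signature over it, signer's chain
		Payload, Sig []byte
		Chain        []Cert
	}
)

func tbs(subject string, key ed25519.PublicKey) []byte { return append([]byte(subject+"\x00"), key...) }

// issue creates a fresh key pair certified by issuerPriv; parents is the issuer's own chain.
func issue(subject string, issuerPriv ed25519.PrivateKey, parents []Cert) Identity {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	leaf := Cert{subject, pub, ed25519.Sign(issuerPriv, tbs(subject, pub))}
	return Identity{append([]Cert{leaf}, parents...), priv}
}

func (id Identity) sign(p []byte) Signed { return Signed{p, ed25519.Sign(id.priv, p), id.Chain} }

// verify pins the chain to the expected subjects (leaf first) so a device key cannot act as issuer, then checks each link from the root down and the payload signature.
func (s Signed) verify(root ed25519.PublicKey, path ...string) bool {
	if len(path) == 0 || len(s.Chain) != len(path) {
		return false
	}
	issuer := root
	for i := len(s.Chain) - 1; i >= 0; i-- {
		c := s.Chain[i]
		if c.Subject != path[i] || len(c.Key) != ed25519.PublicKeySize ||
			!ed25519.Verify(issuer, tbs(c.Subject, c.Key), c.Sig) {
			return false
		}
		issuer = c.Key
	}
	return ed25519.Verify(issuer, s.Payload, s.Sig)
}

// camPayload binds the image to one doorbell event: nonce || SHA-256(image).
func camPayload(nonce, image []byte) []byte {
	sum := sha256.Sum256(image)
	return append(append([]byte{}, nonce...), sum[:]...)
}

// recipientCheck is block 1035: authenticate the doorbell, the camera and the attached image.
func recipientCheck(bell, cam Signed, image []byte, root ed25519.PublicKey) bool {
	return bell.verify(root, "doorbell-976", "NID-925") &&
		cam.verify(root, "camera-974", "NID-925") &&
		bytes.Equal(cam.Payload, camPayload(bell.Payload, image))
}

// gateLockCheck is block 1060; echoing the request nonce is an assumed anti-replay binding.
func gateLockCheck(grant Signed, root ed25519.PublicKey, nonce []byte) bool {
	want := append([]byte("unlock:"), nonce...)
	return grant.verify(root, "recipient") && bytes.Equal(grant.Payload, want)
}

// scenario runs the exchange once with constructed identities and data.
func scenario() (reqOK, unlocked, replayed, swapped, rogue bool) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // global certificate authority 940
	nid := issue("NID-925", rootPriv, nil)                   // local authority in the NID
	bell := issue("doorbell-976", nid.priv, nid.Chain)
	cam := issue("camera-974", nid.priv, nid.Chain)
	owner := issue("recipient", rootPriv, nil)
	nonce, image := []byte("constructed nonce 0001"), []byte("constructed image bytes")
	ring, shot := bell.sign(nonce), cam.sign(camPayload(nonce, image))
	grant := owner.sign(append([]byte("unlock:"), nonce...))
	forged := issue("recipient", bell.priv, bell.Chain).sign(grant.Payload) // doorbell key as issuer
	reqOK = recipientCheck(ring, shot, image, rootPub)
	unlocked = gateLockCheck(grant, rootPub, nonce)
	replayed = gateLockCheck(grant, rootPub, []byte("nonce of a later request"))
	swapped = recipientCheck(ring, shot, []byte("swapped image"), rootPub)
	rogue = gateLockCheck(forged, rootPub, nonce)
	return
}

func main() { fmt.Println(scenario()) }
```

Running it prints `true true false false false`: the genuine request and grant pass, while a grant replayed against a later nonce, an image swapped after signing, and a "recipient" certificate issued by the doorbell's key are all rejected.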

The invention has now been described in detail for purposes of clarity and understanding. However, it will be appreciated that certain changes and modifications may be practiced within the scope of the appended claims. Accordingly, it should be recognized that many other systems, functions, methods, and combinations thereof are possible in accordance with the present invention. Thus, although the invention is described with reference to specific embodiments and figures thereof, the embodiments and figures are merely illustrative, and not limiting of the invention. Rather, the scope of the invention is to be determined solely by the appended claims.

1. A method for authorizing access to digital assets, the method comprising: receiving, at a global authentication authority coupled to a global communication network, access information from a local authentication authority associated with a network interface device at a customer premises; and based at least in part on the access information and an authentication of the network interface device, implicitly authenticating or authorizing a digital asset associated with the network interface device.

2. The method of claim 1, wherein the access information includes a security device received from a one of: a global authentication authority and a local authentication authority.

3. The method of claim 1, wherein the network interface device is associated with the customer premises, and wherein authenticating the network interface device includes receiving at least one digital security device associated with a digital asset maintained in relation to the customer premises.

4. The method of claim 3, wherein authenticating the network interface device further includes registering the at least one digital security device associated with the digital asset maintained in relation to the customer premises.

5. The method of claim 1, wherein the digital asset is a content object.

6. The method of claim 5, wherein the content object is selected from a group consisting of: a recorded audio, a recorded audio, a live video, a recorded video, an email, a live chat, and a game.

7. The method of claim 1, wherein the digital asset is a customer premises equipment.

8. The method of claim 7, wherein the customer premises equipment is selected from a group consisting of: a video recorder, an audio recorder, a storage device, a personal computer, a PDA, a mobile telephone, a dish antenna, a television, a refrigerator, and a security equipment.

9. The method of claim 7 wherein the customer premises equipment includes a gate lock, and a camera.

10. A system for authorizing access to digital assets, the system comprising: a network interface device comprising a processor and a set of instructions executable by the processor, the set of instructions comprising: instructions to transmit, over a global communication network to a global authentication authority, access information from a local authentication authority associated with the network interface device; instructions to receive, from the global authentication authority, an implicit authentication or authorization of a digital asset associated with the network interface device.

11. A system for authorizing access to digital assets, the system comprising: a global authentication authority comprising a processor and a set of instructions executable by the processor, the set of instructions comprising: instructions to receive, over global communication network, access information from a local authentication authority associated with a network interface device at a customer premises; and instructions to implicitly authenticate or authorize a digital asset associated with the network interface device, based at least in part on the access information and an authentication of the network interface device.